Solved

Automatically log user off from Domain after x minutes of inactivity.

Posted on 2004-09-11
Last Modified: 2012-06-22
How can I configure a domain account so that the domain user is automatically logged off after x minutes of inactivity? Is it possible to create a group policy for this?

I want to configure and implement this from my server, since we occasionally have a problem with employees with quite high privileges who forget to log out and therefore present a security risk.

Sheldon

Question by:Sheldonh
 

Expert Comment

by:AndyBeamish
I'm assuming you're running Windows 2000 or better on the servers and workstations...

Can I suggest an ultra-simple solution: put the screen saver on, for example, 5 minutes and tick the box for "On resume, password protect". Whilst this doesn't explicitly log the user out from the network it does lock the machine until a user or admin password is entered.

Going a stage further you can lock down the screen saver options under gpedit. Have a browse to User Configuration / Administrative Templates / Control Panel / Display. Just make sure the users don't do the usual "password-on-a-post-it" !

Actually, I wouldn't recommend automatically logging off users anyway as they're bound to be half way through some vital report just as they break for lunch :)

Regards,

Andy
0
 
LVL 40

Expert Comment

by:Fatal_Exception
You can certainly ensure that your users logoff.  We worked on several of these threads already...  here are the links:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20860048.html

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20878958.html

Good luck..

FE
0
 

Expert Comment

by:naramalai
The Automatically log off users when logon time expires, at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, should be re-titled as Automatically disconnect users when logon time expires.

This policy affects the Server Message Block (SMB) component of a Windows 2000 server. When the policy is Enabled, the client sessions with the SMB server are forcibly disconnected when the client's logon hours expire.

STEP:
1) This policy affects all the computers in the domain, unlike Automatically log off users when logon time expires (local), which only affects the computers upon which it is applied.
2) When you configure a user's Logon Hours, they are prevented from logging on during unauthorized times, but they are not disconnected when their time expires?

To forcibly disconnect the user when their time expires, implement one of the following Group Policies:

Automatically log off users when logon time expires at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy affects the SMB component of a Windows 2000 server. When enabled, the policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. This policy affects all the computers in the domain.

Automatically log off users when logon time expires (local) at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. This policy is the Local Computer policy default.

3) When you enforce logon hours restrictions by using Group Policy to navigate to Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options and enabling Automatically log off users when logon time expires, users whose logon time settings prevent logon at this time are NOT permitted to log on. However, users who are logged on and should be logged off are not?

If this happens in your domain, try the following:

1. Open a CMD prompt.

2. Type:

net accounts /forcelogoff:<minutes> /domain

where <minutes> is the number of minutes after the log on time expires that a user will be forced off. The user will receive a warning message <minutes> before the forced log off.

NOTE : The default setting for the /forcelogoff switch is no. When no is set, forced logoff is prevented. To see the current setting, open a CMD prompt and type net accounts. If this returns:

Force user logoff how long after time expires?: Never

then forced logoff is prevented. I would NOT set <minutes> to 0.

0
 
LVL 40

Expert Comment

by:Fatal_Exception
Just a comment nara...   EE recommends that when you copy something that you give credit to the original site...

For instance:  (if this is where you got that..  it is linked from the threads I posted above..)

http://www.jsiinc.com/subl/tip5500/rh5566.htm
0
 
LVL 17

Expert Comment

by:Jared Luker
You could try something along these lines:

http://www.jsiinc.com/subh/tip3500/rh3590.htm
0
 

Expert Comment

by:exids
Why don't you just set up the screen saver to password protect the system after a certain amount of time?  You can even do it in group policy.  It's so much less complicated.

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdb_cdk_ugxd.asp
0
 

Expert Comment

by:exids
Read the first post again
0
 

Expert Comment

by:exids
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Yes, but he is asking how to force a logoff....  There are good reasons to do this, other than just security...   Alternatives are always nice to add, but we should first focus on his primary question..

FE
0
 

Expert Comment

by:exids
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Why would you copy the same link I provided above..????   :)
0
 
LVL 1

Author Comment

by:Sheldonh
Hi all

Thank you all for your replies. A few things to clear up:

First, a lot said that I should use the screensaver password thing. Can't, when computer resumes, then only the administrator or the SAME USER that was logged on when the screensaver came on may resume the session. This is a problem, because it is not always the case that the same user uses the same computer all the time.

Second, a lot was also said about the force logoff of users AFTER LOGON TIME EXPIRES. Well, we don't have set logon times and because we are in a multi-user "per computer" environment, this won't help anyway. If I say that you can only logon before 17:00 every day and it is after 17:00 and a user is still logged on then will it only automatically log off after the set time period after 17:00. What if the user of a computer walks away for 30 minutes at say, 13:00, then it is still before 17:00 and he won't be logged off automatically.

Now, if user walks away and another user sits in front of that same computer after say 30 minutes, then that computer should already be logged off, so that the other user can log on.

Now I have followed some of the links provided, and I have seen some discussions about

"Automatically log off users" and/or "Amount of idle time required before disconnecting session"

but I can't find the above options. I do however find the "Amount of idle time before suspending network session" option. I have tried to apply this to the domain and it doesn't seem to work. I applied it to the domain under "Domain Security Policy" and under GPO. I haven't seen any result. All the other policy settings that I apply are working, except this one.

Here is a Microsoft help description for "Amount of idle time before suspending network session"

Description
Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.


I understand this as the user's session being suspended, and then later automatically being started again, but for the same user. I don't think this is the same as logging off, I could be wrong.

There is also an option under a USER's Account properties under the "Sessions" tab for "Idle Time", and then underneath that the action to take after the set idle time. But that didn't work either. If it did work, then that would mean I would have to set this option for each and every user, about 200+ times...!

So, I need a GPO setting, that will automatically LOGOFF a user after a set time so that any other user will be able to log onto that same machine. No admin accounts needed etc...

Thanks again
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 250 total points
Did you try this..  Unfortunately it is not a GPO, but it does reflect one way to go about this...

Workstations that are left logged on may represent a security risk for an organization. Many networks allow users to leave programs running and to remain logged on to their computers for an undefined time period. The Microsoft Windows 2000 Resource Kit includes the Winexit.scr tool that you can use to automatically quit a user's programs and to log the user off of the workstation.

How to Configure the Winexit.scr Screen Saver:

Use Windows Explorer to locate the Winexit.scr file in the Windows 2000 Resource Kit folder on your hard disk.
Right-click the Winexit.scr file, and then click Install.
The Display Properties dialog box appears with the Screen Saver tab active. The Logoff Screen Saver entry is automatically selected. Click Settings.
Select the Force application termination check box to force programs to quit.
In the Countdown for n seconds box, type the number of seconds for which the logoff dialog box appears before the user is logged off.
In the Logoff Message box, type the message that appears during the logoff countdown. Click OK.
In the Display Properties dialog box, click Preview.
You see the Auto Logoff dialog box. It displays the logoff message and the countdown timer. Click Cancel.
Click OK.
0
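Added example (not from the thread and not part of the Resource Kit): a per-user logon script that points the screen saver at Winexit.scr with an idle timeout, then verifies that the registry values took effect. The install path, the 15-minute default and the function names are assumptions, and it presumes workstations where PowerShell is available.

```powershell
# Logon script: make the logoff screen saver the current user's screen saver.
param(
    [string]$ScrPath     = 'C:\Windows\System32\winexit.scr',  # assumed install location
    [int]   $IdleMinutes = 15                                   # assumed value for "x minutes"
)

$desktopKey = 'HKCU:\Control Panel\Desktop'
$wanted = [ordered]@{
    'SCRNSAVE.EXE'      = $ScrPath                       # screen saver executable
    'ScreenSaveActive'  = '1'                            # screen saver enabled
    'ScreenSaveTimeOut' = [string]($IdleMinutes * 60)    # idle time, stored in seconds
}

function Set-LogoffScreenSaver {
    # Refuse to point the setting at a file that is not installed on this machine.
    if (-not (Test-Path -LiteralPath $ScrPath)) {
        throw "Screen saver not found at $ScrPath; install it before applying settings."
    }
    foreach ($name in $wanted.Keys) {
        Set-ItemProperty -Path $desktopKey -Name $name -Value $wanted[$name] -Type String
    }
}

function Test-LogoffScreenSaver {
    # Emit one object per value that differs from the wanted configuration.
    $current = Get-ItemProperty -Path $desktopKey
    foreach ($name in $wanted.Keys) {
        $prop   = $current.PSObject.Properties[$name]
        $actual = if ($prop) { [string]$prop.Value } else { '' }
        if ($actual -ne $wanted[$name]) {
            [pscustomobject]@{ Value = $name; Expected = $wanted[$name]; Actual = $actual }
        }
    }
}

Set-LogoffScreenSaver
$drift = @(Test-LogoffScreenSaver)
if ($drift.Count -gt 0) {
    $drift | Format-Table -AutoSize
    exit 1    # non-zero exit so the logon script failure can be noticed
}
Write-Output "Logoff screen saver set for $env:USERNAME after $IdleMinutes idle minutes."
```

The Winexit options themselves (forced termination, countdown, message) are still set through the Settings dialog described above. Screen saver settings enforced under User Configuration / Administrative Templates / Control Panel / Display take precedence over these per-user values.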
 
LVL 40

Expert Comment

by:Fatal_Exception
0
 
LVL 40

Expert Comment

by:Fatal_Exception
And here is another article that addresses the Winexit method..

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4541
0
 
LVL 1

Author Comment

by:Sheldonh
Hi All

Thank you FE for pointing out Winexit.scr to me. I was aware of this feature before, but wanted a better way of implementing this on a domain. I have come to realise that Microsoft actually does not have such a feature. So they released Winexit Screensaver with a Resource Kit. It is still a bit of a hassle to have the screensaver installed on all machines, and then there is also a bug in the screensaver that can be fixed by editing the registry of EACH MACHINE!! Permissions have to be set...

So, I will use this as my solution, seeing that there is nothing else.

Thanks for nothing Microsoft!!!

Cheers

Sheldon grabs the nearest vine and exits Tarzan style...
0
 
LVL 17

Expert Comment

by:Jared Luker
Sheldon,

If you would like some help in scripting the registry change in your startup/login scripts, just let me know.

Jared
0
 
LVL 1

Author Comment

by:Sheldonh
Thanks JL

I will do so...

Cheers
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Yea..  MS should address this..  Perhaps in Service Pack 10..???  :)

But thanks...  and good luck with the deployment..

FE
0
